Virus Encyclopedia

Oscarbot.YQ

Effects

Oscarbot.YQ displays annoying messages while users browse with Internet Explorer, in order to push them to websites that advertise various pay services. Even if users close these messages, they are displayed again after a while.

Oscarbot.YQ carries out the following actions:

It reaches the computer in a file with the name imagFaceBook, passing itself off as an image when it is actually an executable file:

When it is run, Internet Explorer is opened and the legitimate myspace website is displayed in order to distract users:

If users try to close the browser or open a new website, a message like the following will be displayed:

Users are required to complete a survey in order to access certain content.

If users click on the "Aceptar" button, the browser will be closed or another website will be opened.

If users click the "Cancelar" button, they accept to take the survey and a message like the following is displayed:

Each option points to a different website depending on the users' choice, as can be seen in the image below:

If users follow any of these links, they will be redirected to websites in which different pay services are offered.

If, on the contrary, they do not follow any link, the following message will be displayed:

When users access certain websites, such as Facebook's, a message like the following is displayed:

Additionally, it carries out these other actions:

- It adds itself to the list of applications authorized by the Windows firewall, in order to avoid being blocked.
- It stops the Windows Update service, so that the Windows automatic updates are not downloaded.
- It leaves an open port with a connection to a certain website in order to receive commands.

Infection strategy

Oscarbot.YQ creates the following files in the Windows directory:

JUSCHED.EXE, which is a copy of the worm.

MDLL.DL, a data file containing information about the websites it connects to.

WINTYBRD.PNG and WINTYBRDF.JPG, which belong to the "Human Confirmation!" messages displayed by the worm.

It also creates the following entry in the Windows Registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
%path%\imagFaceBook.exe = %windir%\jusched.exe:*:Enabled:Java developer Script Browse

where %path% is the path from which users ran the original file. By creating this entry, it adds itself to the list of applications authorized by the Windows firewall, in order to avoid being blocked.
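The following PowerShell script is an added example for this entry (it is not code from the encyclopedia or from the vendor) that checks a single host, read-only, for the artifacts described above: the four dropped files in the Windows directory, a firewall AuthorizedApplications entry whose data points at %windir%\jusched.exe, and a stopped Windows Update service. It assumes it is run from an elevated prompt, that wuauserv is the service name behind "Windows Update", and that the search is limited to %windir% because the legitimate Java Update Scheduler also ships a file named jusched.exe, but under Program Files, not in the Windows directory.

```powershell
# Added example, not part of the original entry: read-only host check for
# the Oscarbot.YQ artifacts named above. Run from an elevated PowerShell.
# File names, registry path and value format are taken from the entry;
# "wuauserv" is assumed to be the Windows Update service name.

$windir   = $env:windir
$findings = @()

# 1. Files the worm drops in the Windows directory (names from the entry).
#    Only %windir% is checked: the legitimate Java updater's jusched.exe
#    lives under Program Files, so a copy here is suspicious on its own.
foreach ($name in 'jusched.exe', 'mdll.dl', 'wintybrd.png', 'wintybrdf.jpg') {
    $p = Join-Path $windir $name
    if (Test-Path -LiteralPath $p) {
        $findings += "Dropped file present: $p"
    }
}

# 2. Firewall authorized-applications list. Each value's data has the form
#    <path>:*:Enabled:<display name>; flag any value whose data points at
#    jusched.exe in an Enabled state, whatever the value name or display name.
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path -LiteralPath $fwKey) {
    $list = Get-ItemProperty -LiteralPath $fwKey
    foreach ($prop in $list.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        $data = [string]$prop.Value
        if ($data -match '(?i)\\jusched\.exe:\*:Enabled:') {
            $findings += "Firewall exception: '$($prop.Name)' = '$data'"
        }
    }
}

# 3. Windows Update service state (the entry says the worm stops it).
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($wu -and $wu.Status -ne 'Running') {
    $findings += "Windows Update service (wuauserv) is $($wu.Status)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Oscarbot.YQ indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

A stopped Windows Update service alone is weak evidence (administrators disable it deliberately), so treat it as corroboration for the file and registry findings rather than an indicator on its own. Because the worm is described as adding a firewall exception under StandardProfile, a host joined to a domain may keep its live policy under DomainProfile instead; check both keys if the machine is domain-joined.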

Means of transmission

Oscarbot.YQ spreads by sending messages that point to a download of the worm via instant messaging programs such as Yahoo! Messenger and Skype.